CVE-2021-26084
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Analysis
Confluence Server and Data Center contain an OGNL injection vulnerability allowing unauthenticated remote code execution, triggering mass exploitation campaigns for cryptocurrency mining and ransomware in September 2021.
Technical Context
This is an OGNL (Object-Graph Navigation Language) injection, CWE-917: attacker-supplied OGNL expressions reach user-controllable parameters without being neutralized. Because Confluence's Webwork framework evaluates these expressions server-side, a crafted expression can execute arbitrary Java code and, through it, operating-system commands, with no authentication required.
Affected Products
- Confluence Server before 6.13.23
- Confluence Server 6.14.0 before 7.4.11
- Confluence Server 7.5.0 before 7.11.6
- Confluence Server 7.12.0 before 7.12.5
Remediation
Upgrade Confluence to a fixed version immediately. Because this vulnerability was mass-exploited, treat exposed instances as potentially compromised: check for web shells and cryptominers, review Confluence content and logs for evidence of data exfiltration, and restrict external access to Confluence.